Cannot connect to Symantec Messaging Gateway with PuTTY when CBC ciphers are disabled

book

Article ID: 156550

calendar_today

Updated On:

Products

Messaging Gateway

Issue/Introduction

When CBC ciphers for the Symantec Messaging Gateway (SMG) appliance are diabled via the sshd-config -c off command, attempting to connect to the command line interface (CLI) via the PuTTY ssh client results in an error message.

Couldn't agree a client-to-server cipher (available: arcfour)

Cause

PuTTY does not support the arcfour (RC4) cipher, only arcfour128 and arcfour256, so the client and server cannot agree on an encryption cipher to secure the communication.

Resolution

This issue has been addressed in Symantec Messaging Gateway version 10.0.1-2.

For versions prior to 10.0.1-2 there is no workaround for this issue that does not include using the less secure SSHv1 protocol.

The OpenSSH client used by various Linux distributions and Cygwin is able to negotiate a secure connection but, for now, the PuTTY ssh client is incompatible with SMG running with CBC ciphers disabled.  Please note that an ssh client that supports the basic arcfour cipher (arcfour) should be able to connect to SMG.